From be8c4cb24afd45c9d057288167cbff9f9dc09e6e Mon Sep 17 00:00:00 2001
From: Klaus Post
Date: Thu, 21 Jul 2022 10:26:59 -0700
Subject: [PATCH] fix: support multiple validateAdminReq actions (#15372) handle multiple validateAdminReq actions and remove duplicate error responses.
---
 cmd/admin-bucket-handlers.go | 7 -------
 cmd/admin-handler-utils.go | 13 +++++++++++--
 cmd/admin-handlers-users.go | 1 -
 3 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/cmd/admin-bucket-handlers.go b/cmd/admin-bucket-handlers.go
index 7c5043a99..a648a7a05 100644
--- a/cmd/admin-bucket-handlers.go
+++ b/cmd/admin-bucket-handlers.go
@@ -63,7 +63,6 @@ func (a adminAPIHandlers) PutBucketQuotaConfigHandler(w http.ResponseWriter, r *

 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.SetBucketQuotaAdminAction)
 if objectAPI == nil {
- writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
 return
 }

@@ -126,7 +125,6 @@ func (a adminAPIHandlers) GetBucketQuotaConfigHandler(w http.ResponseWriter, r *

 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.GetBucketQuotaAdminAction)
 if objectAPI == nil {
- writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
 return
 }

@@ -171,7 +169,6 @@ func (a adminAPIHandlers) SetRemoteTargetHandler(w http.ResponseWriter, r *http.
 // Get current object layer instance.
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.SetBucketTargetAction)
 if objectAPI == nil {
- writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
 return
 }

@@ -300,7 +297,6 @@ func (a adminAPIHandlers) ListRemoteTargetsHandler(w http.ResponseWriter, r *htt
 // Get current object layer instance.
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.GetBucketTargetAction)
 if objectAPI == nil {
- writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
 return
 }
 if bucket != "" {
@@ -340,7 +336,6 @@ func (a adminAPIHandlers) RemoveRemoteTargetHandler(w http.ResponseWriter, r *ht
 // Get current object layer instance.
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.SetBucketTargetAction)
 if objectAPI == nil {
- writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
 return
 }

@@ -386,7 +381,6 @@ func (a adminAPIHandlers) ExportBucketMetadataHandler(w http.ResponseWriter, r *
 // Get current object layer instance.
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ExportBucketMetadataAction)
 if objectAPI == nil {
- writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
 return
 }
 var (
@@ -642,7 +636,6 @@ func (a adminAPIHandlers) ImportBucketMetadataHandler(w http.ResponseWriter, r *
 // Get current object layer instance.
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ImportBucketMetadataAction)
 if objectAPI == nil {
- writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
 return
 }
 data, err := ioutil.ReadAll(r.Body)
diff --git a/cmd/admin-handler-utils.go b/cmd/admin-handler-utils.go
index 2d7491443..3a918a5a7 100644
--- a/cmd/admin-handler-utils.go
+++ b/cmd/admin-handler-utils.go
@@ -30,6 +30,10 @@ import (
 iampolicy "github.com/minio/pkg/iam/policy"
 )

+// validateAdminReq will validate request against and return whether it is allowed.
+// If any of the supplied actions are allowed it will be successful.
+// If nil ObjectLayer is returned, the operation is not permitted.
+// When nil ObjectLayer has been returned an error has always been sent to w.
 func validateAdminReq(ctx context.Context, w http.ResponseWriter, r *http.Request, actions ...iampolicy.AdminAction) (ObjectLayer, auth.Credentials) {
 // Get current object layer instance.
 objectAPI := newObjectLayerFn()
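Review bot: The doc comment added above validateAdminReq in cmd/admin-handler-utils.go says a nil ObjectLayer means "the operation is not permitted", but judging by the ErrServerNotInitialized responses this commit removes from the handlers, nil is presumably also returned when the object layer is not initialized, so the comment conflates an availability failure with an authorization denial. Its first sentence is also missing an object ("validate request against and return"). Suggested wording: `// validateAdminReq checks the request against the supplied actions and succeeds if any one of them is allowed.` followed by `// A nil ObjectLayer means the request was rejected (server not initialized, auth error or access denied) and an error has already been written to w; callers must return without writing a second response.` The part of the function between this hunk and the next is outside the diff, so the not-initialized path is inferred rather than seen.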
@@ -41,11 +45,16 @@ func validateAdminReq(ctx context.Context, w http.ResponseWriter, r *http.Reques
 for _, action := range actions {
 // Validate request signature.
 cred, adminAPIErr := checkAdminRequestAuth(ctx, r, action, "")
- if adminAPIErr != ErrNone {
+ switch adminAPIErr {
+ case ErrNone:
+ return objectAPI, cred
+ case ErrAccessDenied:
+ // Try another
+ continue
+ default:
 writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(adminAPIErr), r.URL)
 return nil, cred
 }
- return objectAPI, cred
 }
 writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
 return nil, auth.Credentials{}
diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go
index 1ed2f88b0..005847331 100644
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -1553,7 +1553,6 @@ func (a adminAPIHandlers) ExportIAM(w http.ResponseWriter, r *http.Request) {
 // Get current object layer instance.
 objectAPI, _ := validateAdminReq(ctx, w, r, iampolicy.ExportIAMAction)
 if objectAPI == nil {
- writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrServerNotInitialized), r.URL)
 return
 }
 // Initialize a zip writer which will provide a zipped content
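Review bot: The new `case ErrAccessDenied: continue` in validateAdminReq's loop (cmd/admin-handler-utils.go) makes the variadic `actions` an any-of authorization check, and nothing in this commit tests that decision. A table-driven test should cover three cases: first action denied and second allowed, every action denied with exactly one AccessDenied response, and a non-denial error on the first action stopping the loop. checkAdminRequestAuth is now called once per action, and the comment above it says it validates the request signature, so that work and any denial logging inside it (not visible here) presumably repeat for each denied action; confirm that is acceptable. An empty `actions` list falls through to the final ErrAccessDenied, which fails closed and is worth recording above the last writeErrorResponseJSON, e.g. `// No supplied action allowed the request (or none was supplied): deny.` The function's opening lines are outside this hunk.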